This document summarizes best practices for building an application security program at a startup. It recommends getting organizational buy-in, building a security team by networking and attending events, and shifting security left by training developers. It also discusses implementing threat modeling, carefully vetting security vendors, embedding security engineers with developer teams, and continuing to improve processes over time. The overall message is that security is a collaborative effort involving the whole company.

1. Year[0]
AppSec at a Startup

2. About Me
● Red Team at Redspin
● SB OWASP + AppSec California + Bay Area OWASP
● Green Team at Bugcrowd
● Blue Team at Segment

3. The Slides are Online, I’m Online
● TODO
● @leifdreizler
TODO

4. Topics
1. Building a Team
2. Shifting Left
3. Training
4. Threat Modeling
5. Vendor Adoption
6. Engineering Embed Program
7. What’s Next?
@leifdreizler

5. Organizational Buy In
● Whole company needs to care about security
● Engineering time
● $ecurity Headcount

6. Building a Team
● Host/speak/sponsor meetups
● Attend conferences
● Tap into your network

7. Building a Team
● Host/speak/sponsor meetups
● Attend conferences
● Tap into your network

8. Building a Team
● Host/speak/sponsor meetups
● Attend conferences
● Tap into your network
● Meet up w/ other security teams, exchange info

9. Security Goes Left

10. Security Goes Left
● Hard to staff a large security org
● Not efficient to find bugs in prod
Source: https://www.experimentus.com/itm/W_06_00055_The_Cost_of_Defects.htm

11. Security Goes Left
Tanya Janca, @shehackspurple Source: https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95
● Devs want to build good software
● Devs need to be security minded
● Hard to staff a large security org
● Not efficient to find bugs in prod

12. Training
● Part 1 - Think Like an Attacker
● Part 2 - Secure Code Review
Source: Security Solutions for Hyperconnectivity and the Internet of Things

13. Think Like an Attacker - Creating Relevant Content
● Bug bounty submissions
● Pentests
● Internal findings
Training - Think Like an Attacker

14. Pre Training Setup
● Install OWASP Juice Shop
● Install Burp Suite Community
Training - Think Like an Attacker

15. OWASP Juice Shop
Source: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Training - Think Like an Attacker

16. Hands-On Training Schedule
1. Vuln category 1 (Slides + Examples)
2. Vuln category 2
3. Interactive Training (Burp Suite + Juice Shop)
4. Vuln category 3
5. Vuln category 4
6. Interactive Training
Source: https://www.dreamstime.com/royalty-free-stock-photography-computer-hacker-hands-image8278907
https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/
Training - Think Like an Attacker

17. Hands-on Training
Training - Think Like an Attacker

18. Training - Think Like an Attacker

19. Secure Code Review
● XSS
● Broken Access Control
● Secrets management
● Error handling
● SSRF
● Crypto
Influenced by OWASP Secure Coding Cheat Sheet
● Defence Against the Dark Web, etc.
Training - Secure Code Review
Source: Your Personal Password Vault: A Password Journal and Logbook

20. Leif’s Hawaiian Shirt Store
Leif has rushed through building a new Hawaiian shirt store with React. Is there
anything wrong with it?
server.jsApp.js
Training - Secure Code Review

21. App.js
Training - Secure Code Review

22. server.js
Training - Secure Code Review

23. AppSec Training
● Meet new eng hires
● Common vuln types
● “Security Judgment”
● Think about PRs in new ways
● Have fun!
Training - Secure Code Review

24. Reviews
Training

25. Training

26. Threat Modeling
@jonathanmarcil - https://www.youtube.com/watch?v=KGy_KCRUGd4

27. Threat Modeling
Threat Modeling

28. Threat Modeling
Threat Modeling
Source: https://reqtest.com/general/a-bug-goes-skateboarding-on-boehms-curve/

29. Threat Model Prep
● Eng Team provides Sec with:
○ Links to repos
○ Architecture Diagrams
○ Docs
Threat Modeling
Source: https://articles.microservices.com/an-alternative-way-of-visualizing-microservice-architecture-837cbee575c1

30. Threat Model Prep
● Eng Team provides Sec with:
○ Links to repos
○ Architecture Diagrams
○ Docs
● Everyone should be thinking
about threats
○ Bonus points for getting
EM/PMs involved
Threat Modeling
Source: https://thegeekyleader.com/2014/12/07/good-and-bad-software-engineering-manager/

31. Threat Model
● Our process works best w/ 2+ people from Sec
○ Leader + Note-taker
● Leader keeps the conversation moving
● Note-taker creates Attack Tree and Issue Spreadsheet
Threat Modeling

32. Issue Spreadsheet
Threat Modeling

33. Jonathan Marcil: Threat Modeling Toolkit AppSecCali 2018
Threat Modeling

34. Attack Tree
Threat Modeling
Source: https://schd.ws/hosted_files/appseccalifornia2018/54/Threat%20Modeling%20Toolkit%20-%20AppSecCali.pptx

35. Threat Modeling Benefits
● Great way to meet engineers
● Information exchange
○ Get engineers thinking about security in new ways
○ Learn more about systems you’re supposed to help protect
● Uncover existing risks
● Prevent problems in future development
Threat Modeling

36. Vendor Adoption
● Consistent eval process
● Partner with Eng During Trial Process
Source: https://www.itbusinessedge.com/slideshows/nine-questions-to-ask-when-selecting-a-security-vendor.html

37. Example - SAST
● Slow
● Designed for enterprise
● Expensive
● Requires lots of tuning (if available)
Vendor Adoption

38. Example - Snyk
● Security eval - tested on various repos
● Partnered with App team
● Presented at Eng all hands
● Security submitted PRs to core repos
● Wrote Integration with Directory
Vendor Adoption
Snyk is a tool to help companies manage vulnerabilities in their dependencies.

39. Directory Integration
Vendor Adoption

40. Vendor Adoption

41. Bug Bounty
● Pre-bounty prep
● Outsource management
● Start small
● Pay for anything that gives value
● Be clear about what matters
Playing Nice with Hackers
Source: https://www.ixxiyourworld.com/en/products/ixxi-images/boba-fett-film-poster/

43. Full Stack (Security) Engineering
Write Code
● Meet developers, designers, product managers
● Deeper understanding of engineer process
● Learn more about the code base you’re protecting
● Diversify your skillset
Walk a mile in the developer’s code

44. Security ➡ Engineering Embed Program
Write Code
● Get appropriate buy-in
● Go through design process
● Create documentation
● Write good test cases
● Follow deployment procedures
Follow the Normal Process

45. Security ➡ Engineering Embed Program
Write Code
● Fix bugs or work on small features
● Medium/Large non-security feature
● Security-related feature
Fix Bugs, Build Tools, Write Features

46. Write Code

47. Security ➡ Engineering Embed Program
● Great way to meet devs
● Shows you can build useful features/tools
● Bring back knowledge to the security team
● Sec learns eng process/tooling/constraints
Write Code
0
1
2
3
4
5
Front-end PM Full-stack Design Marketing Copy

48. Security ➡ Engineering Embed Program
Write Code
● Great way to meet devs
● Shows you can build useful features/tools
● Bring back knowledge to the security team
● Sec learns eng process/tooling/constraints

49. What’s Next?
● Security 1337erboard
What’s Next?

50. What’s Next?
● Security 1337erboard
● CTF
What’s Next?

51. What’s Next?
● Security 1337erboard
● CTF
● Engineering ➡ Security Embed
What’s Next?
#33

52. What’s Next?
● Security 1337erboard
● CTF
● Engineering ➡ Security Embed
What’s Next?
● Self-service security
● Have Better Security Metrics
Source: https://sm.asisonline.org/Pages/In-Search-of-Security-Metrics.aspx

53. Influential Presentations
● Starting an AppSec Program: An Honest Retrospective - John Melton
● We Come Bearing Gifts: Enabling Product Security with Culture and Cloud -
Astha Singhal/Patrick Thomas
● Twubhubbook: Like an AppSec Program, but for Startups - Neil Matatall/
Brent Johnson
● Pushing Left, Like a Boss - Tanya Janca
#1 - https://www.youtube.com/watch?v=ETkHISgEh3g
#2 - https://www.youtube.com/watch?
v=L1WaMzN4dhY
#3 - https://www.youtube.com/watch?
v=JEE7wXHa1kY
#4 - https://www.youtube.com/watch?v=8kqtrX6C10c

54. In Case of Emergency
● Compliance requirements (GDPR, ISO27001, etc.)
● Recent Pentests (shown to customers)
● Customer security questionnaires
● My peers at companies x, y, an z do thing

55. Summary
• Get Involved!
• Build Your Dream Team

56. Summary
• Get Involved!
• Build Your Dream Team
@leifdreizler
• Vulnerabilities are Just Bugs
• Security is Everyone’s Job
• “Security Judgment”
• Successfully Partner Cross-functionally
• Reduce Operational Work
• Save your No’s

57. Summary
• Get Involved!
• Build Your Dream Team (this includes developers!)
@leifdreizler
• Vulnerabilities are Just Bugs
• Security is Everyone’s Job
• “Security Judgment”
• Successfully Partner Cross-functionally
• Reduce Operational Work
• Save your No’s

58. Closing Thoughts

59. TODO - Slide Link
@leifdreizler